Due to the inadequate management of information security expectations and various unexpected information technology incidents, small and medium enterprises that lose data or have to cope with a lack of data over a certain period of time may lose business commissions or customers. A solution to this problem may be the regulated administration of information security, which may lower the amount of risk. Enterprises in this sector generally do not have enough human, material and information technology resources to perform tasks of this sort. The controversy seems to be an irresoluble one; the authors attempt to provide help to initiate a solution to the issue that remains above the ‘still acceptable’ level. The paper surveys several professional sources as well as standards, recommendations, and methodologies applicable in the field. The authors of this paper consciously strive to differentiate between information technology security and information security.